ClientCertsandS/MIMESigningandEncryp5on:AnIntroduc5on

MAAWG24

12:30‐2:30,Monday,Feb20,2012OlympicRoom,Wes>nMarketSt,SFO

JoeStSauver,Ph.D.(joe@uoregon.edu)MAAWGSeniorTechnicalAdvisor

hPp://pages.uoregon.edu/joe/maawg24/

Disclaimer:Theopinionsexpressedinthistalkrepresentthoseofitsauthor,anddonotnecessarilyrepresenttheopinionofanyotheren9ty.

Preface

2

StrongCryptographyandFederal/Interna5onalLaw

•  Strongcryptographyiscri>caltocomputerandnetworksecurity,includingenablingsecureauthen>ca>onandonlinecommerce,protec>ngpersonallyiden>fiableinforma>on(PII)storedonline,andlegi>matelyensuringpersonalprivacyforlaw‐abidingci>zens.

•  Atthesame>me,strongcryptographyissubjecttocomplexregula>oninmanycountries,includingtheUnitedStates.Why?Useofencryp>onmakesitharderforna>onalsecurityagenciesandlawenforcementorganiza>onstolawfullyinterceptcriminalcommunica>onsandna>onal‐security‐relatedcommunica>ons.

•  Therefore,ourgoalwhentalkingaboutstrongcryptographyistoalwaysabidebyfederallawsandinterna>onaltrea>esrela>ngtocontrolsoverstrongcryptography,andtodowhatwhatwecantoensurethatstrongcryptographydoesn'tgetmisusedinwaysthatmighteitherharmourna>onalsecurityorinterferewiththelawfulinves>ga>onandprosecu>onofcriminals.

3

SinceWe’llBeGivingYouStrongCryptoProducts...•  Youwarrantthatyouaren’tbarredfromobtainingandusingstrongcrypto

productsorsoIware,NORareyoubarredfromreceivingtrainingonit.

•  Specifically,thismeansthatyouassertthatyouareNOTaci>zen,na>onal,orresidentofBurma,Cuba,Iran,Iraq,NorthKorea,Sudan,Syria,oranyothercountryblockedfromobtainingstrongcryptographyproducts.

•  YouareNOTa"deniedperson,"a"speciallydesignatedna>onal,"oranysimilarindividualforbiddentoaccessstrongcryptographybytheUSgovernment(www.bis.doc.gov/complianceandenforcement/liststocheck.htm)

•  Youareneitheraterroristnoratrafficker/userofillegalcontrolledsubstances,NORareyoudirectlyorindirectlyinvolvedinthedesign,development,fabrica>onoruseofweaponsofmassdestruc>on(includingimprovisedexplosivedevices,nuclear,chemical,biological,orradiologicalweapons,normissiletechnology,see18USCChapter113B)

•  YouagreeNOTtoredistributeorretransfercryptographicproductsorsodwaretoanyonewhoisinoneofthepreviouslymen>onedprohibitedcategories.

•  Youunderstandandagreethattheforgoingisbywayofexampleandisnotanexhaus>vedescrip>onofallprohibiteden>>es,andthatthisisnotlegaladvice.Forlegaladvicerela>ngtostrongcrypto,pleaseconsultyourownaPorney. 4

"First,DoNoHarm"

•  Someofyoumaywantto“followalong”aswegothroughtoday’strainingmaterials.Ifso,that’sterrific.HoweverpleaseONLYdosoifyou’vegotarecentbackupofyoursystem,andyoursystem(ifsuppliedbyyouremployer)isNOT"lockeddown"byyourcorporateITdepartment.

•  IfyouhaveNOTbackedupyoursystemrecently,oryourcorporateITdepartmentdoesNOTwantyouto>nkerwithyourlaptop,pleasefeelfreetowatchwewegoovertodaybutpleasedonottrytoinstallanynewsodwareorotherwisemodifyyoursystem.

•  Also,ifyoualreadyhaveaclientcer>ficateinstalledonyoursystem,youmaywanttorefrainfrominstallinganotherone,andinpar>cularPLEASEdoNOTinten5onallydeleteanyclientcer5ficatesyoumayalreadyhaveinstalledonyoursystem!

5

Oh,AndForThoseofYouWhoMayHaveBeenWorried,No,We'reNotGoingtoDiveIntoAnyAdvancedCrypto‐RelatedMathema5csToday

•  OurfocustodayisonhelpingyougettothepointwhereyoucanactuallyuseS/MIMEandclientcer>ficates,andgelngyoutothepointwhereyouunderstandtheprac>callimita>onsassociatedwiththosetechnologies.Youdonotneedadvancedmathema>cstodothat.

•  Soifyouhatedmathema>csinhighschoolorcollege,relax.:‐)Virtuallyeverythingwe’regoingtotalkabouttodayshouldbenon‐mathema>cal.

•  Let’sdiverightin.6

I.Introduc5on

7

WhyMightWeNeedToSignand/orEncryptEmail?

•  Putsimply,regularemailishorriblyinsecure.

•  Emailistrivialtospoof:eventechnicallyunskilleduserscansimplyputbogusiden>tyinforma>onintothepreferencespaneloftheiremailclientandvoila,they're"Santa"(orprePymuchanyoneelsetheywanttobe).Youjustcan'ttrustthenon‐cryptographically‐signedcontentsofemailthatyoumayreceive–itmayallbecompleterubbish.

•  Mostemailisalsotrivialtosniffonthewire(orreadinthemailspool):messagesnormallyaren'tencryptedwhentransmiPedorstored,sounauthorizedpar>escanreadyourcommunica>ons."Trustedinsiders"mayalsoaccessconfiden>alcommunica>ons.

•  Let'stakealookatacoupleofprac>calexamplesofthesesortofexposures.

8

TheSimpleRoadtoSpoofingEmail:JustChangeYourPreferencesinMozillaThunderbird

9[Yes,thiswillwork.Butno,goodliPleboysandgirlsshouldn'ttryit.]

"ButWon'tSPFand/orDKIMEliminatetheSpoofingProblem?"

•  SincethisisMAAWG,I*knew*thatsomeonewouldaskthis.:‐)

•  LetmeaskYOU:isphishings>llaproblem,eh?•  Morefundamentally,SPF/DKIMalsocannotprotectyouagainst

emailthatisinjectedfromanauthorizedsource.Classicexample:‐‐Collegefacultymemberandherstudentsallhaveaccountsinthesameexample.edudomain,andallsendfrom"oncampus"‐‐Amaliciousclassmemberforgesmessagefromacampuscomputerlab,pretendingtobethefacultymember,"cancellingclass"or"assigningextrahomework"(orwhatever).SPFandDKIMaren'tdesignedtodefendagainstthissortofscenario.

•  Securityfolkstendtolikebelt‐and‐suspender("defenseindepth")solu>onsanyhow,andjustbecauseyou’redoingSPForDKIM,thatdoesn'tprecludealsodoingmessagelevelcrypto,right?

10

ASimpleExampleofHowEasyItIsToSniffTypicalPlainTextEmailUsingWireshark

•  Sendasimplemailmessage...

% mailx -s "testing 123" joe@gladstone.uoregon.eduHi Joe!

I don't think this is very secure, do you?

Joe .

•  IfsomeoneisusingWiresharktowatchyourtraffic,they'dsee:

11

"ButJoe!AllOurNetworksAreSwitchedEthernet!There'dBeNoTraffictoSniff!"

•  Sitessome>meshaveafalsesenseofsecuritywhenitcomestotheirvulnerabilitytosniffing.Specifically,somemaybelievethatbecausetheyuseswitchedethernet,trafficintendedforagivensystemwillONLYflowtotheappropriatesystem'sswitchport.

•  Youshouldbeawarethatmanyswitchescanbeforcedtoactlikehubsthroughavarietyofwellknowntechniques(seeforexamplehPp://ePercap.sourceforge.net/).Thus,evenifyourinfrastructureisintendedtoisolatetrafficonaper‐portbasis,inprac>ce,thatprocessmayfailtomaintaintrafficsepara>on.

•  Youalsocan'tensurethattrafficwon'tbesniffedonceitleavesyourlocalnetwork.

•  Therefore,youshouldassumethatanyunencryptednetworktraffic,includingmostemail,canbesniffedandread.

12

OfCourse,IfSomeone'sGotRoot,TheyCanLookAtAnythingOnTheSystem,IncludingEmailMsgs... % suPassword: # cat /var/mail/joe From joe@canard.uoregon.edu Sun Feb 12 14:30:54 2012Return-Path: <joe@canard.uoregon.edu>Received: by canard.uoregon.edu (Postfix, from userid 501) id 5C221D537D4; Sun, 12 Feb 2012 14:30:54 -0800 (PST)To: joe@canard.uoregon.eduSubject: Some thoughts on the insider threatMessage-Id: <20120212223054.5C221D537D4@canard.uoregon.edu>Date: Sun, 12 Feb 2012 14:30:54 -0800 (PST)From: joe@canard.uoregon.edu (Joe St Sauver)Status: O

Hi Joe,

I wonder if a system admin with root priv could read the mail that's sitting in my mail spool? You know, I bet s/he could...

Joe 13

BUTIfYourEmailIsEncrypted,ItMayNotMa_erIfSomeoneDoesALi_le"Browsing:"TheFollowingIsn'tVeryInforma5ve,IsIt?

MIAGCSqGSIb3DQEHA6CAMIACAQAxggNbMIIBkQIBADB5MGQxCzAJBgNVBAYTAlVTMRIwEAYD VQQKEwlJbnRlcm5ldDIxETAPBgNVBAsTCEluQ29tbW9uMS4wLAYDVQQDEyVJbkNvbW1vbiBT dGFuZGFyZCBBc3N1cmFuY2UgQ2xpZW50IENBAhEAowXASR0JSE0KE5HSe8RXCTANBgkqhkiG 9w0BAQEFAASCAQAphc3r5MLFw43hOcMzlb/UG9DEaFPyFtcaiN8koelnok2DVdcAtSb9wulU iKjw4jps8GwqPeonzC8o+RMyktiFwMvM/QfN4zMUbfxsJr0i7FpnveROp+V8Cyo2hDuJpa/d GjRI560cDnH2z4tnYOO9/SJBCvLIIRjfnnnuJlS12VF00kcA9sfJI23QWhauisoef0ZhvAOw

11wHi8o+4icSe6iT18rR+Sr9MDhulDdfVCfmYwDfBi4SAqzbLK1FZfSj7aIjphlcFV4JKXr3 HyEz2afYRCGYUUaGk1zjcfhh4Eqkah6TwZ8QCtWUTsYdhuZdHGHw6zbBuSUYxzRG2NiRMIIB wgIBADCBqTCBkzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQ MA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxOTA3BgNVBAMT MENPTU9ETyBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIRAKgC OyLlmfFLiBBlWracUfMwDQYJKoZIhvcNAQEBBQAEggEAOc1JpNLx+62m1To69oxFd3/fMEvo

UDkL1nSQe5LDhKnH3DXmH2vvTN0Q0h8vjGbkcGklCD11164VRi380QrtVYTsYCl9tB1kuHam SH+xJIIsLkNasYWnCXwzji+Uw80GiAP9/CgB/aYJhhYJt1HRQ+43S9m3xgpdK//aCOIjmKLl prFiQ1Jk5Wx3Sqm/Kkg89m9ulln1ckpIBrvTxNsikZmFwh4QGcCtz42+mTGZXcbrrn9yfT0F 4ds9xDbBm5e/Se/aq4vpfX0yi0/UP8/ywJ5+zG2ufyJw4i2h2O3vyD6WzX7PiYuzsn232RkR

[That base64 encoded file is actually a base64 encoded encrypted file] 14

EmailIsAlsoPoten5allySubjecttoLawfulInterceptand/orCompulsory(orEvenVoluntary)Disclosure

15hPp://www.cybercrime.gov/ssmanual/ssmanual2009.pdfatpage138

ReducingTheTransportEmailSniffingVulnerability:Opportunis5cSSL/TLSEncryp5on

•  Youcanreducetheextenttowhichemailtrafficissubjecttosniffingonthewirebyenablingopportunis>cSSL/TLSencryp>on.ThismeansthatiftheMTAsonbothsidesoftheconversa>onarereadyandwillingtodoSSL/TLSencryp>on,itwillbenego>atedandusedwheneveritcanbe.Seeforexample:

hPp://www.exim.org/exim‐html‐3.20/doc/html/spec_38.htmlhPp://www.posdix.org/TLS_README.htmlhPp://www.sendmail.org/~ca/email/starPls.html

•  However,SSL/TLSwillnotprotectemailoverlinksthatdon'thaveTLS/SSLenabled,nordoesitprotectstoredmailonceithasbeenreceivedandsavedtodiskatitsdes>na>on.Thatis,itisnot"end‐to‐end."

16

Obtaining*End‐to‐End*Protec5onRequiresMessage‐LevelSigningandEncryp5onE.G.,UseofPGP/GPG,orUseofS/MIME

•  Therearetwobasicapproachestogelngend‐to‐endprotec>onforemailmessages:

•  PrePyGoodPrivacy(PGP)(orGNUPrivacyGuard(GPG)),seeRFC4880,*OR*

•  S/MIME(RFC5751)withpersonalcer>ficates.

•  PGP/GPGisprobablythemorecommonofthosetwoop>ons,buttodaywe'regoingtotalkaboutS/MIMEwithclientcer>ficates,instead.

•  Beforewecandigin,however,weneedaliPle"cryptobackfill"17

PublicKeyCryptography

•  Therearebasicallytwotypesofcryptography:symmetrickeycrypto,andpublickey(asymmetric)crypto.

•  Insymmetrickeycryptography,amessagegetsencryptedANDdecryptedusingthesamesecretkey.Thatmeansthatbeforeyoucanshareasecretmessagewithsomeone,youneedasecretkeyyou'vebothpreviouslyagreedupon(chicken,meetegg).

•  BothPGP/GPGandS/MIMEwithpersonalcer>ficates,ontheotherhand,relyonpublickeycryptographytosignorencryptmessages.Inpublickeycryptography,theusercreatesapairofmathema>cally‐relatedcryptographickeys:oneprivatekeythatonlytheuserknows,plusarelatedpublickeythatcanbefreelysharedwithanyonewho'sinterested.Havingauser'spublickeydoesn'tallowyoutoderivethatuser'scorrespondingprivatekey,butitdoesallowyoutocreateanencryptedmessageforthatuserviaa"oneway"or"trapdoor"mathema>calprocess.

18

ButWait,There'sMore!PublicKeyCryptographyCanSlice,DiceandMakeJulienneFries,Too...

•  Well,thatmaybeaslightexaggera>on.

•  Butpublickeycryptographydoesallowyoutodoatleastonemorecooltrick:theholderoftheprivatekeycanalsodigitallysignafilewiththeirprivatekey.Oncethatfileisdigitallysigned:

‐‐itcan'tbechangedwithoutinvalida>ngthemessagesignature(e.g.,itactsasanan>‐tamperingchecksumvalue)

‐‐anyonewhohasacopyofthecorrespondingpublickeycanverifythatitwassignedbysomeonewhohadaccesstothecorrespondingprivatekey

19

HowDoCer5ficatesFitIntoAllThis?

•  Sofarwe'veonlybeentalkingaboutpublickeysandprivatekeys.Youmaywonderhowcer>ficatesfitintoallthis.

•  Theansweristhatcer>ficatesaPachaniden>tytoacryptographickeypair.

•  Ifyou'relikemostfolks,whenyouhear"cer>ficates"inanonlinecontext,youthinkofSSLwebservercer>ficates.That'snotwhatwe'regoingtobetalkingabouttoday.Thosecer>ficatesareissuedtoservers.Thecertswe'regoingtotalkabouttodaygetissuedto*people*,instead.

•  Butfirst,let'sbeginwithsomethingwe'reallfamiliarwith:mee>nganewpersoninreallife.

20

MappingUserstoIden55esIn“RealLife”•  IfImeetyouface‐to‐face,perhapsattheMAAWGsocialevent,

youmighttellme,"Hi,I'mRobertJones.Nicetomeetyou!"Inacasualcontextatasocialeventofthatsort,wemightsmile,shakehands,exchangecards,engageinsomechitchat,andleaveitatthat–itdoesn'treallymaPerifyouare(oraren't)whoyouclaimtobe.I'lljusttemporarilyaccept(andthenunfortunatelyprobablyquicklyforget)your"self‐assertediden>ty."That'sOK.

•  IfitturnsoutthatIeventuallyneedconfirma>onofwhoyouare,Imightasktrustedcolleagues,"Hey,seethatguyoverthere?Whoishe?"Iftheyallsay,"Oh,that'sRobertJones.I'veknownhimforyears,"thatmightgivemeconfidencethatyoureallyarehim.

•  Other>mes,forexampleifyou'reinastrangecity,orsomeone'strus>ngyouwithavaluableasset(suchasarentalcar),youmightneedtoshowadriverslicenseorothergovernmentissuedIDsincenoone"knowsyourname."

21

MappingUsersToIden55esOnline:PGP/GPG•  Asimilarproblemexistsonline.Howdoyouknowwhichpublicly

offeredPGP/GPGkeysistherealonethataperson'sactuallyusing,andnotapretender'screden>als?InPGP/GPG,thisisdoneviaa"weboftrust."

•  InPGP/GPG,aPGP/GPGpublickeygetsdigitallysignedbyotherPGP/GPGuserswhohavepersonallyconfirmedthatperson’sID.(ThisodengetsdoneatPGP/GPG"keysigningpar>es").Normallyakeyholderwillgetsignaturesfrommul>plefriendsorcolleagues.

•  Recursively,howdoyouknowthatyoushouldtrustthosesignatures?Well,thosesignaturesweremadewithkeysthathaveALSObeensignedbyothercolleagues,andsoonandsoforth.

•  Whilethissoundsincrediblyadhocandkludgy,inprac>ce,itactuallyworksprePywell(atleastfortechnicalusers)–itreallyisasmallworldoutthere,"sixdegreesofKevinBacon"‐wise.

22

TheWebofTrustIsForKeys(NotNecessarilyTheirOwners)

•  Animportantnoteaboutthecryptographic"weboftrust:"

SomeonesigningaPGP/GPGkeyisnotsayingthatthat personwho'skeythey'vesignedisa"trustworthy"person.

TotallyevilpeoplemayhaveproperlysignedPGP/GPGkeys!

•  Whensomesignsanotherperson'sPGP/PGPkey,they'reonlysayingthat:

‐‐they'velookedatthatperson'sgovernmentissuedID,‐‐thatpersonindicatedthatthatthatpublickeyistheirs.

Thatis,they'rebindinganiden9tytoacryptographiccreden9al.23

PersonalCer5ficates•  InthecaseofS/MIMEwithpersonalcer>ficates,aweboftrust

isn'tused.IntheS/MIMEcase,trustgetsestablishedhierarchically("topdown").

•  Thatis,apersonalcer>ficateistrustedbecauseithasbeenissuedbyabroadlyacceptedcer>ficateauthority("CA"),anen>tythatyou(andmostotherInternetusers)acceptasreliableforthepurposeofbindingiden>>estocreden>als.

•  CAstendtobeverycarefulwhenitcomestodoingwhattheysaythey'regoingtodo(e.g.,verycarefultodowhattheysaythey'regoingtodointheir"Cer>ficatePrac>cesStatement"),becauseiftheydon't,people(includingbrowservendors!)willstoptrus>ngthemandthenthey'llquicklybetotallyoutofbusiness(literally).

24

ARealName,orJustAnEmailAddress?•  Theremaybesomeconfusionwhenitcomestothe"iden>ty"that

acryptographiccreden>alasserts–isitaperson's“realname”(e.g.,asshownontheirdriver'slicenseortheirpassport),orisitsomethingmoreephemeral,suchasjusttheiremailaddress?

•  Theansweris,“itmaydepend.”Somestandardassurancepersonalcer>ficatesonlyvalidateauser'scontroloveranemailaddress,typicallybysendingacryptographicchallengetothataddress.That'sthesortofclientcertswe'llbeworkingwithtoday.

•  Otherclientcer>ficatesmayrequiremuchmorerigorous"iden>typroofing,"perhapsrequiringtheusertosupplygovernmentissuediden>fica>on(oreventoundergoacompletebackgroundcheck)beforetheygetissuedahigherassuranceclientcert.

25

HSPD‐12andFederalCAC/PIV‐ICards•  OnAugust27th,2004,then‐PresidentGeorgeW.Bush

issued"HomelandSecurityPresiden>alDirec>ve12,"(seehPp://www.idmanagement.gov/documents/HSPD‐12.htm)manda>ngtheestablishmentofacommoniden>tystandardforfederalemployeesandcontractors.

•  Asaresult,thefederalgovernment(andapprovedcommercialcontractorsac>ngonthegovernment'sbehalf)havealreadycollec>velyissuedmillionsof"CommonAccessCards"("CACs")and"PersonalIden>tyVerifica>on‐Interoperable"("PIV‐I")smartcards.

•  "Firstresponders"alone(asdefinedinHSPD‐8)mayul>matelyrequireissuanceofover25.3millionsuchcards.(seehPp://www.dhs.gov/xlibrary/assets/Partnership_Program_Benefits_Tax_Payers_Public_and_Private_Sector.pdf)

•  Thatis*NOT*atoy‐scalecertprojectbyanymeans!

26

27Source:hPp://www.idmanagement.gov/presenta>ons/HSPD12_Current_Status.pdf

CAC/PIVIsA"ProofByExample"ThatCertsAreUsableBy"MereMortal"End‐Users

•  IfitwastoohardtoissueoruseaCAC/PIVcard,millionsoffederalemployeesandcontractorswouldbehavingtroubledoingso.Butthey'renot.Forthemostpart,PKIonhardtokensorsmartcardsnow"justworks."

•  Thisisnottosaythattherearen't*some*intricaciesthatmayneedtobeexplained.Onesitethat'sdoneaterrificjobofusereduca>onistheNavalPostgraduateSchool.Checkouttheiroutstandingtri‐foldbrochureexplaininghowtouseamilitaryCACcard,see

hPp://www.nps.edu/Technology/Security/CAC‐guide.pdf

Withthehelpofthatguide,IthinkmostfolkswouldbeabletofigureouthowtodobasicCAC/PIVtasks.

28

WhyAreTheFedsUsingClientCerts?IfYouNeed"LOA‐4",They'reBasicallyYourOnlyPrac5calOp5on

•  NIST800‐63Version1.0.2(seecsrc.nist.gov/publica>ons/nistpubs/800‐63/SP800‐63V1_0_2.pdf)says:

"Level4–Level4isintendedtoprovidethehighestprac>calremotenetworkauthen>ca>onassurance.Level4authen>ca>onisbasedonproofofpossessionofakeythroughacryptographicprotocol.Level4issimilartoLevel3exceptthatonly“hard”cryptographictokensareallowed,FIPS140‐2cryptographicmodulevalida>onrequirementsarestrengthened,andsubsequentcri>caldatatransfersmustbeauthen>catedviaakeyboundtotheauthen>ca>onprocess.ThetokenshallbeahardwarecryptographicmodulevalidatedatFIPS140‐2Level2orhigheroverallwithatleastFIPS140‐2Level3physicalsecurity.Byrequiringaphysicaltoken,whichcannotreadilybecopiedandsinceFIPS140‐2requiresoperatorauthen>ca>onatLevel2andhigher,thislevelensuresgood,twofactorremoteauthen>ca>on."

29

SomeFederalHighSecurityApplica5onsThatUseClientCertsMayBeSurprising

30

ClientCertsCanEvenBeSecureEnoughforUseinConjunc5onwithNa5onalSecuritySystems

•  Seethe"Na>onalPolicyforPublicKeyInfrastructureinNa>onalSecuritySystems,"March2009(hPp://www.cnss.gov/Assets/pdf/CNSSP‐25.pdf)makesitclearthatclientcertsevenformthefounda>onforNSSuses:

"(U)NSSopera>ngattheunclassifiedlevelshallobtainPKIsupportfromtheestablishedFederalPKIArchitecture."(U)NSSopera>ngattheSecretlevelshallobtainPKIsupportfromtheNSS‐PKI."(U)TheNSS‐PKIhierarchyshallrestonaRootCer>ficateAuthority(CA)operatedonbehalfofthena>onalsecuritycommunityinaccordancewithpoliciesestablishedbytheCNSSPKIMemberGoverningBody.TheNSS‐PKIRootCAshallserveastheanchoroftrustfortheNSS‐PKI."

•  TS/SCI("JWICS")counterpartoftheNSS‐PKI?IC‐PKI.31

WhatIfAUser(orCA)NeedsToRevokeACert?•  Unfortunately,unlike"takingback"aphysicaldoorkeyorculng

upacreditcard,it'sharderto"takeback"anelectroniccreden>al.

•  CRLs("cer>ficaterevoca>onlists")weremeanttohandlethisproblem,muchlikethoseprintedbooksofstolenorrevokedcreditcardnumbersthateverymerchantusedtogetfromthebankcardcompaniesintheolddays.MostCAscurrentlypublishaCRLonceaday.SomeusersmaydownloadthosedailyCRLs,butmostdon't.Andifyou'reaCA,oryou'reauserwithacompromisedcert,youreallydon'twanttohavetowaitupto24hourstorevokeacompromisedcreden>al,nordoyoureallywantmillionsofusertoeachhavetopoten>allydownloadahugefilelis>ngpilesofrevokedcer>ficates!

•  OCSP("onlinecer>ficatestatusprotocol")wasmeanttohandlethisissuemuchmoredirectly,andinterac>vely,butmanybrowsersandemailclientsdon'tbothercheckingacert'sOCSPstatus.Ugh. 32

OK,That'sEnoughBackground–Let'sGetStarted

•  Wecouldtalkforhourswhenitcomestoprovidingcryptobackground,butlet'sjustdiverightinandseehowthisallprac>callyfitstogether.

•  Thenextpartofouragendalookslike:

‐‐applyingforaclientcert‐‐successfullydownloading/installingitinFirefox‐‐backingitup‐‐installingthecertinThunderbird‐‐configuringThunderbirdtodoS/MIME

33

II.GemngAFreeS/MIMEClientCer5ficate

34

GemngaFreeClientCertforS/MIMEWithFirefox

•  TodoS/MIME,you’llneedanemailaccountandaclientcert.We’llassumeyoualreadyhaveanemailaccountyoucanuse,andwe’llgetourfree‐for‐personal‐useclientcer>ficatefromComodo.Thankyou,Comodo!Togetit,goto:hPp://>nyurl.com/free‐cert(hPp://www.comodo.com/home/email‐security/free‐email‐cer>ficate.php)

•  We’regoingtouseFirefoxtoapplyforanddownloadourcertfromComodo.WhileyoucanuseprePymuchanypopularbrowserwithclientcerts,forthepurposeofthistraining,ifyou'refollowingalong,aswegothroughthis,pleaseONLYuseFirefox.Ifyoudon’talreadyhaveFirefox,youcangetitforfreefrom:hPp://www.mozilla.org/en‐US/firefox/fx/

•  Macvs.PCorLinux:Althoughwe’llbeusingFirefoxonaMacintheseslides,FirefoxonMicrosodWindowsorLinuxwillbevirtuallyiden>cal.

35

Comodo’sFreeSecureEmailCer5ficateWebSite

36

TheApplica5onFormYou’llComplete

37

SuccessfulApplica5on…

38

Atthispoint,folks,pleasecheckyouremailfromComodo.You’llneedtogototheweblinkthatthey’vesentyou…

Collec5ngYourCer5ficate

39

Tocollectyourcer9ficate,usingtheSAMEBROWSERontheSAMESYSTEMyouusedtoapplyforyourcer9ficate,gototheURLyouweresentinemailandpluginyouremailaddressandtheuniquepasswordthattheyprovided

SuccessfulCer5ficateDownload…

40

"WhereElseCanIGetClientCerts?"

•  Whilewe'reonlygoingtoshowuseofthefreeoneyearComodoclientcertforpersonaluseinthistraining,youcanalsogetapaidclientcertfromComodo's"EnterpriseSSL"division,andfreeorpaidclientcertsfromothervendors.See,forexample:

‐‐hPp://www.enterprisessl.com/ssl‐cer>ficate‐products/addsupport/secure‐email‐cer>ficates.html

‐‐hPp://www.globalsign.com/authen>ca>on‐secure‐email/digital‐id/compare‐digital‐id.html

‐‐hPp://www.symantec.com/verisign/digital‐id/buy

‐‐hPp://www.trustcenter.de/en/products/tc_personal_id.htm

41

III.ExaminingandBackingUpYourNewClientCer5ficate

42

"Okay,I'veGotMyClientCert.WhatDoIDoNow?"

•  WhenComodogaveyouyourclientcert,rememberthattheyrecommendedthatyoubackitup.

•  Weagreethat'sagoodidea.

•  Youalsoneedto"backupyourcer>ficate"inordertobeabletogetitintoThunderbirdforuseinemail.

•  Therefore,launchFirefoxifyouaren'talreadyrunningit.

43

InFirefox,GotoFirefox‐‐>Preferences…

44

TheFirefoxCer5ficateManager

45

Notes:Selectthe“YourCer>ficates”tabontheCer>ficateManagerpanel.Ifnecessary,hitthetriangulararrowtoexpandthelistofComodocer>ficates.You’llprobablyonlyseeonecer>ficate,theoneyoujustgotfromComodo.ButjustasamaPerofform,let’sconfirmthatitreallyisyours…

TheGeneralTabTellsUsWhenTheCertExpires

46

TheDetails“ViewCert”TabWillLetUsSeeTheEmailAddressAssociatedWithOurNewCert

47[Closethe“ViewCer5ficate”boxwhenyou’redonelookingatit]

Okay,We’vePickedThe“RightOne,”SoLet’sBackItUp…

48

The“NameYourBackup”DialogBox

49

Pickanameforyourcer>ficatebackupfile.Itshouldendwitha.p12fileextension.Forexample,youmightcallthisfilemycertbackup.p12BesureyousaveitasaPKCS12typefile.

TheCertManagerBackup‐PasswordDialogBox

50

Pickastrongpasswordtosecureyourcertbackupfile.

PLEASEDONOTFORGETTHATPASSWORD!YOUWILLNEEDIT!

BackupSuccessful…

51

NotethatyoushouldsaveacopyofyourbackuptoaCD,athumbdrive,orsomeexternaldevicejustincaseyouloseyoursystem,yourdrivecrashes,etc.

IV.Impor5ngYourCer5ficateIntoThunderbird

52

We’reNowGoingToImportOurNewCer5ficateIntoThunderbird

•  Whiletherearemanydifferentpopularemailclients,we’regoingtoshowyouhowtoimportyourclientcertintoThunderbird.(Laterwe’llalsoexplainhowtouseOutlook,andhowtouseclientcertsinGmailwebemailwithPenango,butfornow,we’regoingtofocusonThunderbird)

•  Ifyoudon’talreadyhaveThunderbird,andyou’dliketogetandinstallitnow,youcangetitforfreefrom:hPp://www.mozilla.org/en‐US/thunderbird/

•  NotethatThunderbirdhasanautomatedinstalla>onwizardthatshouldbeabletocorrectlyconfigureitselfinmostcases.Onecau5ontoanynon‐technicalpersonlookingattheseslides:insemngupyouraccount,chooseIMAP(and*NOT*POP)foryouraccounttype!IfyouselectPOP,youmaydownload(andthendelete)allthemailthatyou'vehadstoredonyouraccount!

53

“WhyCan’tThunderbirdJustUseTheCertThatI’veAlreadyGotInstalledinFirefox?

They'reBothMozillaApplica5ons,Aren'tThey?”

•  Yes,bothFirefoxandThunderbirdAREfromMozilla.

•  Whilesomeapplica>onsrelyoncer>ficatesstoredcentrallyinasingleopera>ng‐system‐providedcer>ficatestore(e.g.,inthe“keychain”ontheMac),FirefoxandThunderbirddoNOTdothis.

•  FirefoxandThunderbirduseseparateper‐applica>oncer>ficatestores,instead.Thisgivesuserstheflexibilitytotailorwhatcertsgetpoten>allyshowntoeachsuchapplica>on,butthedownsideisaslightlymorecomplicatedini>alsetup(youneedtoinstallyournewcer>ficateinmul>pleloca>ons)

•  Forwhatitmaybeworth,atleastThunderbird’spreferencesshouldlookveryfamiliartoyouaderlookingatFirefox’s

54

InThunderbird,GotoThunderbird‐‐>Preferences…

55

InTheCer5ficateManager,“YourCer5ficates”Tab,ClickonImport

56

SelectThe.p12BackupFileYouWantToImport

57

SupplythePasswordYouUsedforTheCertBackup

58

SuccessfulImporta5onofTheCertIntoThunderbird

59

V.InThunderbird,AssociateYourCer5ficateWithYourEmailAccountAnd

ConfigureThunderbirdToDoDigitalSigning

60

Thunderbird:Tools‐‐>AccountSemngs

61

Security

62

SelectTheCertYouWantToUseForDigitalSigning

63

ConfirmThatYouWantToAlsoUseThatSameCertforEncryp5ng/Decryp5ngMessages

64

MakeSureYou’reSetToDigitallySignYourMessagesByDefault

65

ThunderbirdConfigura5onIsNowComplete…

•  Thehardpartisover!Youarenowsettoautoma>callydigitallysignyourThunderbirdemailmessagesbydefault.

•  Andthegoodpartisthatnowthatyou’vegotyourselfsuccessfullyconfigured,youwon’thavetoscrewaroundwithanyofthisforroughlyayear(e.g.,un>ljustbeforeyourfreeComodopersonalcer>ficateisclosetoexpiring)

•  Huzzah!

66

VI.DigitallySigningAMessageInThunderbird

67

StartWri5ngAMessageTheWayYouNormallyWould

68NOTETHE“DIGITALLYSIGNED”SEALATTHEBOTTOMRIGHTCORNER!

Op5onal:ConfirmThatTheMessageWillBeSigned

69

ClickOnThePadlockIconOnTheBarOrTheLiMleRedSealInTheBoMomRightCornerIfYouEverWantToDoubleCheck!

ProceedtoSendYourMessage

•  …justlikeyounormallywould.Itwillautoma>callybedigitallysignedwithyourcer>ficate.

•  Yourrecipientswillseeyournormalmessage,plusanaddi>onal“p7s”aPachmentthatwillhaveyourpublickey/cer>ficate.

•  Ifyourcorrespondent’semailclientsupportsS/MIME,itwillautoma>callycheckandvalidateyourdigitalsignature.

•  Ifyourcorrespondent’semailclientdoesn’tsupportS/MIME,theycanjustsafelyignoretheextrap7saPachment.

70

VII.Encryp5ngAMessageInThunderbird

71

Signingvs.Encryp5ng

•  Digitallysignedmessagesestablishwhopreparedthebodyofthemessage,butanyonecans>llreadthatmessage:it’scryptographicallysigned,it’snotencrypted.

•  Ifthebodyofyourmessageissensi>ve,youmayalsowanttoconsiderencryp>ngitsothatonlytheintendedrecipient(orsomeonewithaccesstohisprivatekey)canreadit.

•  Oh,anditgoeswithoutsayingthatamessagecanbebothsignedANDencrypted,ifthat'sappropriate.

72

GemngThePublicKeyofYourCorrespondent

•  Toencryptamessageyou’llneedyourcorrespondent’spublickey.

•  Buthowwillyougethispublickey?Answer:you’llhavetherecipientsendyouadigitallysignedmessage,first.

•  Youremailclientwillautoma>callyextracthispublickeyandcertitneedsfromthatdigitallysignedmessageyoureceivedfromhim.

•  Ifdigitalcertsaredeployedthroughoutyourenterprise,youmayalsobeabletogetpublickeysandclientcertsforyourcorrespondentsfromyourenterprisedirectory,butthatmodelfallsapartwhenyouaPempttoextenditInternet‐wide.

73

AMetaQues5on:ShouldIEncryptTheMailISend?

•  Maybeyes,maybeno.

•  Firstofall,notethatyouwon’tbeabletoencryptunlessyourcolleagueisALSOsetuptodoS/MIME,andyourcorrespondenthasalreadysentyouatleastonesignedmessage(soyou’llhavehispublickeyandcert)

•  Ifthecontentofyouremailisn’tsensi>ve,youprobablydon’tneedtoencryptit.Itmaybe“cool”toencryptallthemessagesyoucan,butifyoudon’tneedto,youmightwanttoskipit.Why?–  Well,ifyoureceiveencryptedcontent,youwon’tbeabletosubsequently

easilysearchthosemessages.

–  And,ifyouhappentoloseyourprivatekey,youwillbeS‐O‐Lunlessyouhaveyourkeybackedup(andyoucanrememberitspassword!),oryourkeyhasbeenescrowed.Ifyourkeyisn'tbackeduporescrowed,canyoureallyaffordtopoten>allyloseallthecontentencryptedwiththatkey?

74

HedgingTheRiskofDataLoss:KeyEscrow•  Let'spretendthatyouhaveapersonwho'sdoingabsolutely

cri>cal(andhighlysensi>ve)workforyouoryourcompany,andyouwantthemtorou>nelyencryptasaresult.Atthesame>me,assumethatpersonisoverweight,hashighbloodpressure,drinksandsmokes,crossesthestreetwhiledistracted,driveswithoutaseatbeltandlivesinaganginfestedneighborhood.Frankly,youworrythatcri>calemployee'sgoingtodieorbekilled,ormaybejustgotoworkforsomeoneelse(givingyou"thefinger"onthewayout).Ifthathappens,howwillyougetatalltheirencryptedworkmessagesandfiles?Willallthatworkproductbelost?

•  Escrowingencryp>onkeysallowsyoutogetacopyofotherwiseunavailableencryp>onkeysinavarietyofcarefullypredefinedemergencysitua>ons.Companiesnormallypayextraforthis"insurance."Keysrecoveredviaescrowwilltypicallyhavetheassociatedcertrevokedatthesame>me.

75

"It'sWorthIt.IDOWantToEncryptMyMessage‐‐HowDoIDoThatInThunderbird?"

76

“WhenIGetASignedandEncryptedMessage,WhatWillItLookLike?”

77

WhoSignedThatMessage?(Note:ItMayNotBeThePersonWhoSentTheMessage)

78

Addi5onalImportantS/MIMECaveats

•  S/MIMEencryptstheBODYofthemessage,ONLY.S/MIMEDOESNOTENCRYPTTHESUBJECTHEADER(oranyothermessageheader).Therefore,doNOTputanythingthatneedstobekeptconfiden>alintheSubjectofanencryptedmessage.Infact,youmaywanttogetinthehabitofneverpulngANYTHINGintothesubjectlineofencryptedmessages.

•  Encryptedmessagebodiescannotbeautoma>callyscannedonthenetworkforvirusesorothermalware.

•  SomemailinglistprogramsmaystripaPachments(includingp7sdigitalsignatures).Ifthathappens,yoursignaturewon’tvalidate.Ifyousendmessagestomailinglists,youmaywanttomanuallydisabledigitalsigningformessagestothoselists.

79

VIII.WhatIfIWantToUseOutlookInsteadofThunderbird?

80

OutlookOnAppleOSXUsestheAppleKeychain;ToDoS/MIMEwithOutlook,WeNeedToGetOurCertIntoIt

81

Can’tfindKeychainAccess?CheckApplica>ons‐‐>U>li>es

Impor5ngOurKey/Cert

82

SuccessImpor5ngOurKeyandCert

83

Nowwe’rereadytolaunchOutlook…

Outlook’sOpeningScreen…

84

Outlook‐‐>Preferences…

85

Accounts

86

AdvancedBu_on…

87

PickingACertontheAccountSecurityTab

88

89

WhatTheSenderSeesWhenSendingASignedMessageinOutlook

90

OutlookAsksForConfirma5onTheFirstTimeItUsesYourPrivateKey/Cer5ficate

91

WhatTheRecipientSeesInOutlookWhenGemngAMessageThat’sSigned

92

WhatIfWeWantToEncryptAMessage?

93

IX."WhatIfIUseGmailWebEmailAndIWanttoDoS/MIME?"

94

GmailDoesNOTNa5velySupportS/MIME

•  YouCANdoS/MIMEwithaGmailaccountifyoureadyourGmailviaadedicatedmailclient(suchasThunderbirdorOutlook)

•  However,ifyoureadyourGmailviaGmail’swebemailinterface,youwon’tbeabletona>velyS/MIMEsignorencryptyourmailtraffic.Why?Well,rememberthatGmail’sbusinessmodelisbasedaroundsellingcontextualads(e.g.,ifyousendanemailmessagetalkingaboutgoingonvaca>ontoHonolulu,don’tbesurprisedifyousuddenlystarttoseeGmailadsforairfaretoOahuordiscounthotelroomsoverlookingAlaMoana).

•  Fortunately,youcangetathirdpartybrowserplugin,Penango,thatwillhelp.PenangoisfreeforfreeGmailaccounts.ThankyouPenango!(clickonthe“Pricing”linktorequestadownloadlink)

95

96

OnceYouHavePenangoInstalled,OpenPenango’sPreferencesinFirefox

97

PlugInYourGmailAddress

98

Uncheck“Automa5callyencryptnewmessages”

99

ComposingaSignedGmailMsgWithPenango

100

[someaccountdetailselidedabove]

SomePenango‐RelatedSendingIdiosyncrasies•  WhenyousendasignedorencryptedmessageusingPenango,the

messagegetssubmiPed“outside”ofGmail'swebinterface(e.g.,viaSMTPStosmtp.gmail.com).ItdoesNOTgetsentwithintheGmailwebinterface.ThisisnecessarybecausePenangoneedstosetthetop‐levelmessageContent‐TypeappropriatelyforS/MIME.

•  Theysubmitviaport465(grr!)andnotSTARTTLSonport587;ifproxiesareinuse,Penangowillendeavortousethem,too.

•  TheIPofthehandoffhostdoesappearintheGmailheaders.

•  Thebodyofthemessagemaybebase64encodedevenifyou'rejustsigningwhatwasaplain‐text‐onlymessage,andPenangousesalong/uglynameforthe.p7saPachment

•  Speakingof,somemessagetext/messageformalngmaymakeitappearasifyoumustusePenangotoprocessaPenango‐generatedS/MIMEmessage.That'sanincorrectimpression.

101

X.HardTokens/SmartCards

102

Alterna5vesToStoringYourKeysandCertsOnYourDesktoporLaptop

•  Inhighereduca>on,manyusersdon'thaveacleanone‐to‐onemappingofuserstosystems.

•  Forexample,asecurityconscioususermighthavebothadesktopandalaptop,andmightwanttousetheircer>ficatesonboththosesystems,butmightnotwanttoleavetheircreden>alsstoredonmul>plesystemsiftheydon'thaveto.

•  Alesswell‐offusermightnothaveasystemoftheirown,workingfromsharedsystemsinacampuscomputerlab,instead.Obviouslyitwouldbebadforthatusertodownloadandinstalltheircreden>alsonasharedsysteminthatlabifthatsystemwillsoonbeusedbysomeoneelse,oriftheymaybeassignedtousesomeothersystemthenext>metheyvisitthelab.

•  WhatwereallyneedisawayforuserstosaveandcarrytheirS/MIMEcertswiththemwherevertheygo.

103

USB‐FormatPKIHardTokens•  USB‐formatPKIhardtokenslookalotlikearegularUSBthumb

drive,butaUSB‐formatPKIhardtokenisactuallyacompletelydifferentanimalthatjustcoincidentallylookslikeathumbdrive.

•  Specifically,aUSB‐formatPKIhardtokenisactuallyahighlyspecializedsecurecryptographicprocessor.Correctlyconfigured,itallowsyoutosaveandUSEyourS/MIMEkeysandcer>ficate,butwithoutpulngthosecreden>alsatriskofbeing"harvested"/stolen.Thesedays,withallthecreden>alharves>ngmalwarethat'soutthere,that'saprePycoolthing.

•  Infact,USB‐formatPKIhardtokenshavetheabilitytopoten>allygenerateprivate/publickeypairs*onthetokenitself*,sothattheprivatekeyNEVERleavesthetoken,althoughwewillnotbetakingadvantageofthatcapabilityduringtoday'ssession.

104

SafeneteTokenPRO72K•  ThroughthegenerosityofChen

ArbelatSafenet,we'reabletoprovideeachMAAWGS/MIMEtrainingpar>cipantwithafreeUSBformatPKIhardtokentoday,theSafeneteTokenPRO72K,aswellasthedriversodwareanddocumenta>on.Thankyou,ChenandSafenet!

•  Thistoken,formerlymarketedbyAladdin,isthemostpopularUSBformatPKIhardtokenusedinhighereduca>on,andispar>cularlyniceifyouworkinacrosspla}ormenvironmentsinceitissupportedunderMicrosodWindows,MacOSX,andLinux.

Imagecredit:hPp://commons.wikimedia.org/wiki/File:EToken_PRO_USB.jpg105

SafenetDrivers,LocalTokenManagementSoIware,AndDocumenta5on

•  Mostsystemswillrequiretheinstalla>onoftokendriversand/orlocaltokenmanagementsodware(soyoucanloadyourexis>ngcer>ficateontothetoken).WithSafenet'spermissionwearemakingthatsodware,anddocumenta>onforthisproduct,availabletoyouforinstalla>onviaCD‐ROM.WeaskthatyourespectthiscopyrightedsoIware:pleasedoNOTredistributeit!

•  Youshouldseethreefiles:‐‐SAC8_1SP1.zip(Windows) 206.9MBMD5sum=55876842e6e13e6c8ee6cdf9dd16986a‐‐610‐011815‐002_SAC_Linux_v8.1.zip 42.2MBMD5sum=d66c9ff919f3b35180dba137857eb88c‐‐610‐001816‐002_SAC8.1Mac.zip 18.2MBMD5sum=c2e9e9b0e2706ffab310538574cf009b

106

InstallingOntheMac

•  InserttheCD‐ROManddragthe610‐011816‐002_SAC8.1Mac.zipfiletoyourdesktop.UnzipitwiththeArchiveU>lity,Stuffit,orwhateverapplica>onyounormallyusetounzipfiles.Youshouldendupwithafoldercalled"SAC8.1.0.5"withtwosubfolders:"Documenta>on"and"MacInstaller."

•  READTHEDOCUMENTATIONINTHEDOCUMENTATIONFOLDER!Inpar5cular,readtheAdministrator'sGuideandreadtheReadMefile,par5cularly"KnownIssues/Limita5ons"

•  Really,Ikidyounot,readthedangdocumenta5on,please!

•  ThengototheMacInstallerfolder,andruntheinstallerthat'sinthere:SafeNetAuthen>ca>onClient.8.1.0.5.dmg

•  Whenyoumountthatdmgfile,youwillseeInstallSafeNetAuthen>ca>onClient8.1.mpkg

•  Installit.You'llneedtorebootwhenitfinishes107

FirefoxSecurityModule

•  Asmen>onedinthedocument(whichyouAREgoingtoread,right?)whenyouinstalltheSafenetAuthen>ca>onClient,itdoesn'tautoma>callyinstallthesecuritysecuritymoduleinFirefox.Youneedtodothatmanually.

•  Firefox‐‐>Preferences...‐‐>AdvancedIntheEncryp>ontab,clickonSecurityDevicesIntheDeviceManagerwindow,clickLoadIntheLoadPKCS#11Devicewindow,Modulefilename,enter:/usr/local/lib/libeTPkcs11.dylibIntheConfirmwindow,clickOK

•  RepeatthisprocessforThunderbird,too.

108

NowLaunchtheSafeNetAuthen5ca5onTools

109

GoToTheGearMenu("Advanced")

110

ViewTheToken,ThenIni5alizeIt

111

ViewTheToken,ThenIni5alizeIt

112

EnterYourNewPasswordsandThenGoToTheAdvancedScreen

113DO*NOT*FORGETTHESECRITICALPASSWORDS!

BeSureToAskfor2048bitkeysupport

114DO*NOT*SELECTFIPSMODE!

NowActuallyIni5alizeTheHardToken...

115

LoginToTheHardToken

116

You'llNeedToEnterYourPasswordForIt

117

GoToTheImportCertScreen

118

ImportOurCer5ficate

119

Pickthep12backupfilewesavedearlier.

Notethatyou'llneedtoprovidethepasswordforthatbackupfileinordertoloaditontothetoken.

BeSureToIncludetheCACertsOnTheToken,Too

120

ViewTheCertsOnTheHardToken

121

TellThunderbirdToUseTheHardToken;WeNeedToUnlockTheToken,First

122

We'reThenShownTheTokenandItsCert

123

NowWeGoToThunderbirdAccounts‐‐>Security,AndSelectTheHardTokenToUse

124

AndAtThatPointWe'reGoodToGoUsingTheHardTokenForOurCert...Huzzah!

125

XI.DoingAllThis"AtScale"

126

GetALi_leExperience,First•  It'ssome>mestemp>ngto"swingforthebleachers,"tryingtohita

grandslamthefirst>meyou'reuptobat,wheninfacttheprudentthingmightbetomakesureyoujustgetonbase.Thisistrueforclientcerts,asforbaseball.

•  I'dliketourgeyou,beforeyouembarkonabigprojectinvolvingclientcerts,orevenapilotscaleprojectthatmightinvolvesomeofyourmostsensi>vesystems,tofirstspendaliPle>mejustexperimen>ngwithclientcerts.

•  Getfreeclientcertsforyourself,andforyourteammembers.

•  Usethemforrela>velylowimpactac>vi>es,suchassigningyouremail,whileyougainfamiliaritywiththem.

•  Trypurchasingandusinghardwaretokensorsmartcards.Whatworks?Whatdoesn'tworkonyourdevicesorinyourenvironment?Inanexperimentalenvironment,you'vegotthefreedomtopushtheenvelopewithoutworryingtoomuch.

127

WhatWorksForOnesie‐TwosieWon'tWorkForTensofThousands

•  Theprocessesyousawearlierinthissession,whiletheycanbemadetoworkforasmallnumberoftechnicallysavvyusers,won'tworkifyou'retryingto"cookforthousands"(ortensofthousands)ofusers.Amorescalableapproachisneeded.

•  Forexample,ifyou'regoingtoinstallcer>ficatesdirectlyonusersystems,youneedabePerwaytodropcer>ficatesonthosesystems,andabePerwaytoconfiguretheuser'sapplica>onstoknowaboutandusethem(InCommonwillbe/isworkingonthis).

•  Similarly,ifyou'regoingtousehardwaretokens,instead,youneedenterprisegradetoolstoprovisionandmanagethosedevices.Thosetoolscanbepurchased,ormaybewriPenlocally.

•  Heck,ifwe'rethinkingaboutabigdeployment,weevenneedtocarefullyconsiderwhatSORTofhardwaretokenswemightwanttouse...USBformatPKIhardtokensareNOTtheonlyop>on.

128

Smartcards?•  TheUSBformatPKIhardtokensyoureceivedarebasicallya

smartcardwithanintegratedsmartcardreader(withaUSBinterface).Thatcanbeveryconvenient–it's"allinone."

•  However,smartcardstendtobecheaperthanUSBformattokens,whichcanbeimportantifyou'rebuyingthousandsofthem.Ontheotherhand,theydoneedsmartcardreaderswhereverthecardsaregoingtobeused(fortunatelysmartcardreadersneednotbeveryexpensive)

•  Adis>nctadvantageofsmartcardsisthattheycanbeusedasanemployeebadgeorIDcard,formaPedtoincludethingsliketheemployee'snameandpicture,amagstripeandoneormorebarcodes,whileALSOcontainingasmartcardinasecurecer>ficatestore.Thismaybethebestofallpossibleworlds.

•  Butwhatwillyoudofor...mobiledevices,suchassmartphonesortablets?

129

Slick‐SidedMobileDevicesandHardTokens

•  SinceMAAWGhasanewemphasison"mobile":‐),weshouldbesuretothinkabouthowwe'llintegratehardtokensorsmartcardswithmobiledevicesthatyourusersmayhave,suchastheiPad,theiPhone,Androiddevices,Blackberries,etc.

•  Theproblemisthatmosthardtokens,andmostsmartcardreadersforthatmaPer,connectviaUSB.SomeportabledevicesmaynothaveareadilyaccessibleUSBportintowhichyoucanplugahardtokenorsmartcardreader.

•  Thesolu>on?Youcanbuyso‐calledBluetoothsmartcardreaders(some>mesalsoknownas"CACsleds")toallowBlackBerriesorselectedothermobiledevicestoaccesssmartcardsviasecureBluetooth,buttheymaycost$200+.Seewww.apriva.com/products/iss/authen>ca>on/reader

•  Android?iPhone?SeehPp://www.biometricassociates.com/products‐baimobile/smart‐card‐reader‐iphone‐android.html

130

WhatAboutDirectories•  Oneofthesubtlethingsthatcanreallymakelifeeasierifyou're

deployingclientcer>ficatesatscaleisadirectoryofallthepublickeysandcer>ficatesfortheusersyoumightneedtocommunicatewith(thatmeansthatpeopledon'tfirstneedtoexchangesignedemailmessagesbeforetheycanexchangeencryptedemailmessages).

•  Thatmethodofkeydistribu>onalsobreaksdownifyouneednon‐repudiablekeysfordigitalsigning,butescrowedkeysforencryp>on.Youneedanalterna>vesourceforkeysinthatcase.

•  Whenitcomestodeployingadirectory,deployingoneforyourcompanyisonething.Evendeployingadirectoryforanen>tyasbigasthefederalgovernmentissomethingthat'sdoable(heck,they'vedoneit!).Butit'snotcleartomethatthere'sascalableInternet‐widedirectorysolu>onthatwouldworktoholdclientcer>ficatesforallInternetusers(assumingeveryonehadthem).

131

PGP/GPG‐ishS/MIMEKeyservers?•  Ironically,oneofthethingsthatmakesInternetscaledirectories

difficultis...waitforit...spam.Canyouimaginehowmuchaspammerwouldlovetobeabletoharvestemailaddressesfor"everyoneontheInternet"fromasinglecentraldirectoryserver?

•  ThereisonecryptographicdirectorymodelthatseemstohaveworkedprePywellto‐date,andthat'sthePGP/GPGmodel.Userscansubmittheirkeysiftheywantto.Otheruserscanlookforkeysinthosedirectoriesiftheywantto.Ifyoucan'tfindtheoneyouneed,youcanalwaysfallbackonoldstandbyapproaches,likeaskinguserstosendyoutheirkeysdirectly.

•  I'vedevelopedaveryroughprototypeserverthatdemonstratesthatitisatleastconceptuallypossibletoconstructaPGP/GPG‐likekeyserverforS/MIME.Ifyou'reinterested,seehPp://pages.uoregon.edu/joe/simple‐keyserver/foradetaileddescrip>onofwhatIhaveinmind.

132

S/MIMEIsn'tTheOnlyUseforClientCerts•  Clientcer>ficatescanbeusedforabunchofthingsotherthanjust

signingorencryp>ngemail.

•  Forexample,clientcer>ficatescanalsobeusedtosigndocuments,orforauthen>ca>on,orasabuildingentrycreden>al.(Notethatifyou'reheadedinthe"authen>ca>on"or"buildingaccesscontrol"direc>on,youwillprobablyneedatradi>onalenterprisePKIdirectorytosupportthatapplica>on)

•  Onceyouhaveclientcertsdeployed,youmightbesurprisedathowmanydifferentwaystheycanactuallybeused.

133

SigningStuff(OtherThanJustUsingS/MIME)

•  Clientcertscandolotsmore,includingsigningdocuments...

•  SigningMicrosoIWorddocuments(Windowsonly),seehPp://pages.uoregon.edu/joe/signing‐a‐word‐document/

•  NeedtosigndocumentsonaMac?TryOpenOffice:hPp://>nyurl.com/openoffice‐signing

•  AdobehasanextensiveguidetosecuringPDFs,includinguseofdigitalcer>ficatesforsigningPDFs,see:hPp://>nyurl.com/adobe‐signing

134

Encryp5onUsingClientCerts(OtherThanS/MIME)

•  PGPWholeDiskEncryp5on(seethedatasheetlinkedfromhPp://www.symantec.com/business/whole‐disk‐encryp>on)

•  MicrosoIWindowsEncryptedFileSystemhPp://technet.microsod.com/en‐us/library/bb457116.aspx

•  IPsecVPNs(MostIPsecVPNsaredeployedwithoutuseofclientcer>ficates,howeveratleastsomeVPNscanbeconfiguredtouseclientcer>ficatesifdesired—see,forexample,hPp://www.strongswan.org/andhPp://www.cisco.com/en/US/docs/solu>ons/Enterprise/Security/DCertPKI.html)

135

Authen5ca5onUsingSmartCards/ClientCerts

•  RedHatEnterpriseLinuxSmartCardLoginSeehPp://>nyurl.com/redhat‐smartcards

•  WindowsAc5veDirectoryLoginwithSmartCardsSeehPp://support.microsod.com/kb/281245

•  OpenSSHauthen5ca5on(viathirdpartyX.509patches)hPp://roumenpetrov.info/openssh/

•  MacOSXhasdeprecatedna>vesupportforsmartcards,butthirdpartyprovidersdos>lloffersupport,seehPp://smartcardservices.macosforge.org/andhPp://www.thursby.com/mac‐enterprise‐management‐high‐security‐smart‐cards.html

136

Authen5ca5onUsingClientCerts(cont.)

•  ControllingaccesstowebcontentservedbyApachehPp://hPpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients(seealso)www.dwheeler.com/essays/apache‐cac‐configura>on.html

•  ControllingaccesstowebcontentservedbyMicrosoIIIS7hPp://technet.microsod.com/en‐us/library/cc732996%28v=ws.10%29.aspx

•  ControllingaccesstowirelessnetworksviaEAP‐TLS,includingconfiguringEduroam.See

hPp://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtmland

hPp://www.internet2.edu/presenta>ons/jt2011summer/20110710‐hagley‐eduroamtutorial.pdf

137

ClientCer5ficatesCanEvenPoten5allyBeUsedForBuildingAccessControlPurposes

138

XII.Don'tForgetAboutPolicies,GovernanceAndPoten5alLegalIssues

139

ClientCerts(TheTechnology)NeedtoBeSupportedByAppropriatePoliciesandGovernanceStructures

•  Inlookingatsuccessfuldeploymentsofclientcerts,suchasthefederalgovernment'sHSPD‐12CAC/PIVcardproject,oneofthethingsI'mstruckbyisthatitssuccessisnotjustatechnologicalthing,it'sasignthatappropriatepoliciesweredevelopedbythecommunity.

•  Ifyou'replanningondoingamajorclientcertproject,pleasebesureyouarealsoconsideringthepolicyimplica>onsofmovingtoclientcerts,notjustthetechnologyissues.

140

BeSureToKeepCorporateCounselInTheLoop,Too

•  Why?Well,letmegiveyouoneclosingexample...strongcryptographyisexportcontrolledbytheU.S.BureauofIndustryandSecurity,includingbeingsubjecttothe"deemedexport"rule.Ifyouplantoissueclientcer>ficatestoallyouremployeesrememberthatsomeusers,asmen>onedatthebeginningofthistalk,maynotbeeligibleforaccesstostrongcryptographictechnologies,includingpoten>allyclientcer>ficates.Formoreonthispoint,pleaseconsultwithyouraPorneyregardingtheprovisionsofthe"DeemedExport"rule.Asastar>ngpoint,seehPp://www.bis.doc.gov/deemedexports/deemedexportsfaqs.html

•  Increaseduseofencryp>onforofficialrecords,mayalsoraiselongtermrecordmanagementissues.

141

ThanksfortheChanceToTalkToday!

•  Arethereanyques>ons?

142